#11 Ricky-Lee
Originally Posted by brendan
why not just
Code:
vi /etc/sysconfig/iptables
?
[1|root@minidemon|~]ls /etc/sysconfig/iptables
ls: /etc/sysconfig/iptables: No such file or directory
 
#12 allnameswereout
Originally Posted by Ricky-Lee
[1|root@minidemon|~]ls /etc/sysconfig/iptables
ls: /etc/sysconfig/iptables: No such file or directory
Forget about that. /etc/sysconfig is RedHat-specific. Might also be used on RedHat-based or RedHat-related OSes.
__________________
Goosfraba! All text written by allnameswereout is public domain unless stated otherwise. Thank you for sharing your output!
#13 brendan
Right, I keep forgetting that Debian doesn't follow the (same) standards that Red Hat/Fedora do.

what does this return:
Code:
ls -l `which iptables`
__________________
Nokia n800
OS 2008
Pharos iGPS 360-BT
ElmScan 5 BlueTooth
BlackBerry Bold (9000)
AT&T Wireless

Last edited by brendan; 2008-12-11 at 12:53.
#14 allnameswereout
They're not standards

/sbin/iptables on Maemo/Debian/Ubuntu.
#15 grog
Originally Posted by gsagers
Thanks, great tip! I'd offer the following change for those who want remote SSH access to their Nokia from anywhere - and if I typed something wrong, please correct me - I'm no iptables guru, but it seems to work here!

Code:
#!/bin/sh
iptables -F
iptables -A INPUT -p all -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP
Originally Posted by allnameswereout
NOTE you should accept traffic to/from local loopback device instead of 127.0.0.1. You should deny traffic from 127.0.0.1 on network because this can only be spoofed traffic. However, I'm no IPT wizard; I prefer OpenBSD PF.
Just want to put it all together & try to figure out a problem. First off, is this modification correct based on the above?

Code:
#!/bin/sh
iptables -F
iptables -A INPUT -p all -s loopback -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP
Secondly, why would either of the above forms kill this port forwarding I use to give the remote site access to my IT from behind a NAT router?
Code:
ssh -R 9999:localhost:22 -l remuser -p remport -N remote.site.com
As I understand, port 9999 is just the remote site's access port directed to port 22 on the IT. Unless the port 22 ACCEPT line in the rules is incorrect, but I have no other way to test right now. TX
__________________
GROG!
N900 | ZAGG Body Armour | 16Gb A-DATA micro-sd
N810 | 2 x Patriot 8gb mini-SD | Boxwave Crystal Clear SS | Black Aluminum case | OTG dongle
N800 | 2 x 8gb OCX SD | Boxwave Anti-glare SS | PDAir book-style case
Holux M-1200 bluetooth GPS | iGo 4-row bluetooth keyboard | Linksys USB 10/100 ethernet | Plantronics Voyager 855 BT Headset
#16 brendan
No, it should be
Code:
iptables -A INPUT -p all -s lo -j ACCEPT
since ifconfig uses the lo convention, not loopback for the name of that interface.

As far as the reverse port forwarding you do with ssh, I don't think that would be killed via iptables, because the traffic would be tunneled through ssh, not be a separate connection. You would have to be listening for ssh on all interfaces too, not just the wlan0 interface.

Your sshd_config should have the following directive:
Code:
ListenAddress 0.0.0.0
#17 grog
Originally Posted by brendan
No, it should be
Code:
iptables -A INPUT -p all -s lo -j ACCEPT
since ifconfig uses the lo convention, not loopback for the name of that interface.
Strange, 'cause even though ifconfig shows lo active (as it should be), iptables gives 'host/network `lo' not found'.

As far as the reverse port forwarding you do with ssh, I don't think that would be killed via iptables, because the traffic would be tunneled through ssh, not be a separate connection. You would have to be listening for ssh on all interfaces too, not just the wlan0 interface.

Your sshd_config should have the following directive:
Code:
ListenAddress 0.0.0.0
The line is there but commented out. Funny thing is that it seems to be working now. Must've been something else that killed my connection before.

TX
#18 brendan
Sorry, change the

-s lo

to

-i lo

because lo is an interface, not really a source.
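Putting the thread's corrections together, as an added example (not a script posted by anyone here): loopback is matched by interface with `-i lo`, loopback addresses arriving on any other interface are dropped as spoofed (allnameswereout's note), SSH on port 22 is accepted and other new TCP connections are dropped. The `/sbin/iptables` path comes from post #14; the `DRYRUN` preview mode, the `-m state` rule and the `! -i lo` negation syntax are assumptions about the iptables build on the device.

```shell
#!/bin/sh
# Added example, not from any post in this thread. DRYRUN=1 prints the
# rules instead of applying them, so the rule set can be reviewed without
# root; the path below is the one given in post #14 (assumption).
IPT=${IPT:-/sbin/iptables}

# Run an iptables command, or print it when DRYRUN is set.
ipt() {
    if [ -n "$DRYRUN" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

firewall_rules() {
    ipt -F INPUT
    # Loopback is an interface, so match it with -i, not -s (post #18).
    ipt -A INPUT -i lo -j ACCEPT
    # 127.0.0.0/8 on any other interface can only be spoofed: drop it early.
    ipt -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
    # Replies to connections the device opened itself (assumes -m state).
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Remote SSH access, the thread's use case.
    ipt -A INPUT -p tcp --dport 22 -j ACCEPT
    # Every other new TCP connection attempt is dropped.
    ipt -A INPUT -p tcp --syn -j DROP
}

# Print the rule set without touching the kernel.
preview_rules() {
    DRYRUN=1 firewall_rules
}

# Self-check: the generated rules must use -i lo and never the broken -s lo.
rules_ok() {
    out=$(preview_rules)
    echo "$out" | grep -q -- '-A INPUT -i lo -j ACCEPT' || return 1
    echo "$out" | grep -q -- '-s lo ' && return 1
    return 0
}

if [ "${1:-}" = "--apply" ]; then
    firewall_rules
fi
```

Run it as `sh firewall.sh` to print the rules, or `sh firewall.sh --apply` as root to load them.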
#19 brendan
Since the ListenAddress is commented out with 0.0.0.0 as a value, that means it's the default, and therefore the daemon listens on all interfaces.

Code:
netstat -na |grep 22
should confirm
#20 grog
Originally Posted by brendan
Since the ListenAddress is commented out with 0.0.0.0 as a value, that means it's the default, and therefore the daemon listens on all interfaces.

Code:
netstat -na |grep 22
should confirm
That it does. Thanks

Code:
~/bin$ netstat -an | grep :22
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:61466         127.0.0.1:22            ESTABLISHED
tcp        0      0 127.0.0.1:22            127.0.0.1:61466         ESTABLISHED
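The netstat check as an added example, not from any poster: it matches the port exactly on the local-address column, since a plain `grep 22` (or `grep :22`) also matches port 2222 or an ephemeral port that happens to contain 22. The sample lines are constructed after grog's paste above, with one extra listener on port 2222 added to show the difference.

```shell
#!/bin/sh
# Added example, not from the thread. The sample is constructed; in use,
# pipe live "netstat -an" output into listens_everywhere instead.
NETSTAT_SAMPLE='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:61466         127.0.0.1:22            ESTABLISHED
tcp        0      0 127.0.0.1:22            127.0.0.1:61466         ESTABLISHED
tcp        0      0 192.168.1.5:2222        0.0.0.0:*               LISTEN'

# Print the local address of every TCP socket LISTENing on exactly port $1.
# The port is the last colon-separated part of field 4, so ":::22" (IPv6
# wildcard) and "0.0.0.0:22" are both handled and ":2222" is not matched.
listen_addrs() {
    awk -v port="$1" '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, a, ":")
        if (a[n] == port)
            print substr($4, 1, length($4) - length(port) - 1)
    }'
}

# Succeed only when port $1 is bound to a wildcard address (0.0.0.0 or ::),
# i.e. the daemon accepts connections on all interfaces, as post #19 says.
listens_everywhere() {
    listen_addrs "$1" | grep -qxF -e '0.0.0.0' -e '::'
}

# Checks over the constructed sample: sshd on 22 is wildcard-bound,
# the extra listener on 2222 is bound to one address only.
check_sample_22() {
    echo "$NETSTAT_SAMPLE" | listens_everywhere 22
}
check_sample_2222() {
    echo "$NETSTAT_SAMPLE" | listens_everywhere 2222
}
```

On the device itself, `netstat -an | listens_everywhere 22 && echo "sshd listens on all interfaces"` performs the same check on live output.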